I do not condone the illegal modification of proprietary software in order to circumvent mechanisms put in place to preserve the integrity of copyrighted materials; nor do I wish to breach the DMCA. With that said, information should still flow freely and knowledge, regardless of how taboo, should be shared among a community of intellectual peers. I am not liable for anything the user-base of this community may do with the supplied knowledge.

Reverse engineering is an art; not a mere means to an end, but the first step to achieving digital awareness in a world of secrets. A man who finds an unlocked door may see the truth for a moment, but a man who can craft his own keys will see the truth for eternity.

EDIT: This post has been modified as of Tuesday, May 18th, 2010. Almost all technical information remains the same. Reviewing this post after several years, I decided it was time to fix some glaring grammar and punctuation mistakes. I like to think I replaced them with much less noticeable mistakes.

I have added information, and fixed many mistakes. I will continue to fix mistakes as I feel like it.

The original method I explained is also highly inefficient, but this was written back in 2004. Just keep your eyes peeled for updates and minor fixes if anyone still follows this post.

Tracing The Algorithm

We will be reviewing a security mechanism known as offline serial authentication. This method, while commonplace, falls victim to a few key weaknesses:

A) It assumes that the person with a unique serial number is a paying customer and should have full access to the software.

B) It also assumes the serial number has been issued, to that individual, by the developers of said software.

C) It verifies information in an environment that is under the end-user's control.

If you would like to use a serial authentication system in your application, you should look into verifying each serial number against an online database. You can check them against a whitelist or blacklist, depending on the amount of work one would like to put in.

Whitelist Filtering: This will allow you to allow/disallow access to your application based on which serial numbers you know are valid. I personally like this method, because it only requires me to keep track of data I am already sending to my customers, and I can also attach each serial number to a unique account, Internet Protocol address, and other identifying bits of data to minimize the risk of this serial number being shared across the Internet.

Blacklist Filtering: This method is simply collecting all known pirated serial numbers and disallowing access to your application when one is found to be in use.

A good system can use both: one to ensure only a select group of people (customers) can use your product (by having them verify information against servers that are under your control, with identifying data), and another to disallow use of copies that may have slipped through the cracks.

Online verification defeats keygenning as long as you do not offer any form of offline activation. In my personal opinion, if you allow any type of offline activation - then it is your own fault if your software is pirated.

Our primary goal is not to simply unlock the application, phish a serial number, or even ignore the mechanism as a whole (read as: patching) - but to manipulate the underlying mathematics put in place by the developers to supply us with an endless stream of valid serial numbers. This is known as keygenning.

So let's open this application up in W32DASM. This will give us a static overview of the application. Also known as "deadlisting".

After opening the application, the first thing that we should do to find what we are looking for is check the string references. The reason for doing this is so that we can find out where in all of this assembly code the algorithm we are looking for is -- it won't tell us exactly where, but it will give us a place to start looking.

Code:

"%X"
"Thanks for registering!"
"Invalid Serial"

As you can see in the string references above, we can go to different vital parts of this application, such as: where the application accepts a serial, where it rejects a serial, and the format string used to display the serial.

We will take a look at the variable (%X) string, and as expected nothing much is in that function except for a few pushes, however, if we scroll up just a little bit we see the following:

We take note of this function because of the reference to the SendMessage API. In this specific application it is used to grab information that we entered into the program. Here is a description of the following function(s):

Code:

:004010E1 83F803 cmp eax, 00000003
:004010E4 0F8C93000000 jl 0040117D

The section of code above takes the information we entered into the name field of the program and checks its length. If the length is less than the decimal value three (3), the conditional jump (jl) is taken and the program simply starts from the beginning until we enter a name that has a length of at least three (3).

This section of code above will move eax into edx, and then xor ecx and ebx against themselves to reset the registers to the value of zero (0). Now scroll down just a bit, and you will see the following:

Can you take a guess at what this function does? Well, let me just tell you. It's the function that generates a serial number. Here is a basic overview of the function for those who do not understand assembly code.

The Algorithm

Code:

movzx eax, byte ptr [ecx+00402050]

This loads one byte of the name we entered into eax (zero-extended); 00402050 is the address of the buffer holding the name. The byte is the character's ASCII value, which the disassembler shows in hex. Now remember when we xor'd ecx so it has a value of zero (0)? Well, on the first pass we can think of [ecx+00402050] as [0+00402050], i.e. the first character.

We take eax (which holds the hex value of the character), xor it with the hex value 00031337, add DEADBEEF to it, multiply it by 00000666, subtract the hex value 1BADBAB3 from it, shift it three places to the left, and last we xor the current value of eax with D34DD00D. Then we store the result of all of these calculations in ebx, so at the end of the loop ebx will hold a valid serial number.

Ecx is incremented by one (1), and then compared against edx (which holds the length of the name that we entered; for example, if we entered "CAT" this value would be three (3)). If ecx is not equal to edx we continue to cycle the loop.

That basically means ecx will gain + 1 each loop, and when ecx is equal to the length of character(s) in the name it will stop the loop because the serial number has been created.

Keygen Description

Now we have successfully figured out how the program generates the serial and the mathematics behind it. So now we can create a keygen for it.

If you are proficient in assembly, you can basically just take all of the mathematical operations in that code, and slightly modify it to get a fully working keygen, but if you use another language to write the keygen you will just have to simply apply the mathematics. Here is a description of how the keygen should operate in plain English.

* Take the input for a username

* Take each character of that name, get its ASCII value, and then convert that into Hex. (By each character I simply mean one character at a time; for example, "Troopa" would be taken apart each loop like "T" - "R" - "O" - "O" - "P" - "A"). Then simply apply the mathematics to the current value.

* Xor the current value in the loop with the hex value 00031337, add DEADBEEF to it, multiply it by 00000666, subtract the hex value 1BADBAB3 from it, shift the value three places to the left, and last xor the current value with D34DD00D. Then store the result of all of these calculations in a new variable each loop, so at the end of the loop that variable holds a valid serial number.
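The arithmetic described in The Algorithm and in the keygen steps above, written out as an added example in C (not the crackme's code or the original poster's keygen). It uses uint32_t so add, multiply and shift wrap exactly as a 32-bit register does; the one assumption is that ebx is simply overwritten by each iteration's result, since the post's wording says the result is stored in ebx but the loop-body listing is not reproduced:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One pass of the arithmetic on a 32-bit register (wraps like eax). */
uint32_t serial_step(uint32_t eax)
{
    eax ^= 0x00031337u;   /* xor with 00031337 */
    eax += 0xDEADBEEFu;   /* add DEADBEEF */
    eax *= 0x00000666u;   /* multiply by 00000666, low 32 bits kept */
    eax -= 0x1BADBAB3u;   /* subtract 1BADBAB3 */
    eax <<= 3;            /* shift three places to the left */
    eax ^= 0xD34DD00Du;   /* xor with D34DD00D */
    return eax;
}

/* Length check (cmp eax,3 / jl) followed by the per-character loop
 * (movzx of each name byte, arithmetic, store to ebx). Assumption: ebx
 * is overwritten each iteration, as the post's wording suggests.
 * Returns 1 and writes the serial, or 0 when the name is too short. */
int keygen(const char *name, uint32_t *serial)
{
    size_t edx = strlen(name);            /* edx = name length */
    if (edx < 3)
        return 0;
    uint32_t ebx = 0;                     /* xor ebx, ebx */
    for (size_t ecx = 0; ecx < edx; ecx++) {
        uint32_t eax = (unsigned char)name[ecx];   /* movzx eax, byte ptr [...] */
        ebx = serial_step(eax);
    }
    *serial = ebx;
    return 1;
}

/* What the program's own offline check amounts to: recompute and compare.
 * Every input to this decision sits on the user's machine (weakness C). */
int serial_valid(const char *name, uint32_t entered)
{
    uint32_t expected;
    return keygen(name, &expected) && expected == entered;
}

int main(void)
{
    uint32_t s;
    const char *name = "CAT";             /* constructed sample input */
    if (keygen(name, &s))
        printf("%s -> %X\n", name, (unsigned)s);   /* the "%X" format string */
    return 0;
}
```

Under the overwrite assumption only the last character of the name reaches the serial, which is exactly the kind of property a developer learns about by working through their own routine this way.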

Well actually this is pertinent to security because of the way things are supposedly secure in the protection routine; by people studying and reversing things like this, software companies will have to make more secure, harder, etc. algorithms. Second of all, cracking is nothing bad... it has nothing to do with using Sub7 like you might be used to using... . Reverse-engineering is an art, as some professional reversers would say... 0mega, as Troopa said, this has nothing to do with hacking, or warez... can't you read? It's not that hard to understand really. That's all... .

Troopa is indeed walking a VERY fine line here, as no matter what the rationale we ARE talking about circumventing software protection systems. In the U.S. it could be construed as a violation of the DMCA just to discuss this subject.

That said...

Troopa's information would be invaluable to a developer seeking to harden his or her work against casual cracking. Of course there's really no such thing as truly uncrackable, but if you have an idea HOW cracks are made you can take steps to make it harder TO make one for a given application.

Developers are not taking nearly as many steps to protect their goods against being cracked as they should, and as a result end up having to raise their license prices to compensate for the loss. Learning how to break your own apps from a cracker is the best thing you can possibly do as a developer.

I've sat at the virtual feet of many a cracker in my day - before starting a software company of my own I was an op in several major warez channels on IRC, so I had access to EVERYTHING I could ever want - and it's helped me tremendously ever since with my own coding projects. Of my last three software releases, one took ten months to crack and the other two remain uncracked since 2001, all because I had learned a cracker's mentality when it came to security and approached protection with the mindset of "how would I best attack this." If more developers were to do so we'd provide a challenge worthy of the genuine code poets in the cracking universe AND keep our products from being so heavily bootlegged by the myriads of amateurs.

So, FWIW, if Troopa is willing to disclose the methods behind the madness I for one am grateful. There's a lot to learn from your own weaknesses.

You cannot secure against that which you do not understand. This same discussion happens every time anyone posts theory regarding a code exploit, vulnerabilities of networks, and so on.

Knowledge is neither good nor bad; it's what you apply it to that matters. The whole purpose for the existence of this forum is to share knowledge. If we were to follow the proposed line of reasoning we would soon reach a point where we would necessarily have to ban any and all discussion pertaining to any computer related topics, except perhaps things like "how do I install Outlook" or the Funny Section.

The author has used a generic example to illustrate the basics of reverse engineering and a glimpse at how one might analyze code looking for flaws. I do not believe this to be in any way immoral or unethical, any more than the countless other posts we have throughout our forums regarding cryptanalysis, buffer overflows, network "tools", particular coding techniques regarding hooks and flaws in firewall design, et cetera.

Now, were this "how to crack application X", the case would obviously be different. But as it stands, I don't see any problems with it, barring the snippet which I removed where the author offered to provide a copy of the program for practicing purposes.


Was this a program he has written himself, or was it someone else's?

Because I think if he had written it for this purpose he has every right to link it in his tut.

For the rest I totally agree with you guys; that's the main reason why I started to learn ASM: to crack my programs (and others to learn, not to use illegally).

Good point, hadn't thought of that. Well, troopa: if the program you used here was an example created by yourself, or an open source program, or something for which you have the express permission of the author to use for these purposes, feel free to make it available here.

A member of our reverse-engineering group wrote this application so we could have something to play around with for a little while. I did have express permission to crack this software, and make public how this was done.

I understand why Capi took that part out of my post though, so if it's alright with the moderators I am more than happy to pass out this crackme to the community, PM me if you want a copy.


No problem at all there, now that you explained the circumstances.

I do apologize for jumping to conclusions - nothing directed at you, as I'm sure you understand it's always best to err on the side of caution in this sort of thing. Please feel free to make the program available in whatever way you feel appropriate, either publicly through a link here or through a more private venue.

Do you intend to follow this up with a more comprehensive tutorial/walkthrough?

What would you like to see enhanced? I can surely follow up on this if you would like me to, however, I was hoping to move on to a new subject for the community such as how nag screens are disabled.

I know that is a very simple thing to discuss, however, there might be some programmers here interested in knowing how it is done so they can better secure their code against an attack such as patching.

Quote:

I do apologize for jumping to conclusions - nothing directed at you, as I'm sure you understand it's always best to err on the side of caution in this sort of thing.

Yes, I understand fully and I did not take a personal offense to it. I realize as a moderator you have the job of making sure content is within the rules of the community.

Quote:

Please feel free to make the program available in whatever way you feel appropriate, either publicly through a link here or through a more private venue.

Right now I don't have any place to host the file, but as soon as I get a new shell with web space I will be sure to post a link. For now I will just send it to people who ask me for it.

Quote:

We take eax (which has the hex value of the character), xor it by the hex value 00031337, add what we have in eax by the value DEADBEEF, multiply the value of eax by the value of 00000666, subtract the value of eax by the hex value 1BADBAB3, shift three places to the left, and last we xor the current value of eax by D34DD00D. Then we store the answer to all of the calculations into ebx so at the end of the loop ebx will hold a valid serial number.

What are some of the other types of mathematics in ASM, like what would be three places to the right and other stuff? Couldn't you use a hex calculator instead of a keygen? And if so, where would be a good one?
